config = dict(
    sign_messages=True,
    validate_signatures=True,
    ssldir="/etc/pki/fedmsg",

    {% if env == 'staging' %}
    crl_location="https://stg.fedoraproject.org/fedmsg/crl.pem",
    {% else %}
    crl_location="https://fedoraproject.org/fedmsg/crl.pem",
    {% endif %}
    crl_cache="/var/run/fedmsg/crl.pem",
    crl_cache_expiry=86400,  # Daily

    certnames=dict([
    # This is the set of certs for this host, dynamically generated from the
    # ``fedmsg_certs`` host vars
    {% for cert in fedmsg_certs %}
    ("{{cert.get('alias', cert['service'])}}.{{inventory_hostname_short}}", "{{cert['service']}}-{{fedmsg_fqdn | default(ansible_fqdn)}}"),
    {% endfor %}
] + [
        # This is the beginning of the static list.  We should eventually remove
        # this.
        ("git.hosted03", "git-hosted03.vpn.fedoraproject.org"),
        ("git.hosted04", "git-hosted04.vpn.fedoraproject.org"),
        ("trac.hosted03", "trac-hosted03.vpn.fedoraproject.org"),
        ("trac.hosted04", "trac-hosted04.vpn.fedoraproject.org"),
        ("shell.hosted03", "shell-hosted03.vpn.fedoraproject.org"),
        ("shell.hosted04", "shell-hosted04.vpn.fedoraproject.org"),
    ] + [
        ("shell.anitya-frontend01", "shell-anitya-frontend01.vpn.fedoraproject.org"),
        ("anitya.anitya-frontend01", "anitya-anitya-frontend01.vpn.fedoraproject.org"),
        ("shell.anitya-backend01", "shell-anitya-backend01.vpn.fedoraproject.org"),
        ("anitya.anitya-backend01", "anitya-anitya-backend01.vpn.fedoraproject.org"),

        # FAF/retrace is on the qa network and talks to an inbound relay.
        ("shell.retrace01", "shell-retrace01.qa.fedoraproject.org"),
        ("shell.retrace02", "shell-retrace02.qa.fedoraproject.org"),
        ("faf.retrace01", "faf-retrace01.qa.fedoraproject.org"),
        ("faf.retrace02", "faf-retrace02.qa.fedoraproject.org"),

        # This is for the copr backend, which is a little different.  The
        # "cert-prefix" is just "copr", and is hardcoded in
        # backend/dispatcher.py.  The hostname is also a little different,
        # since it is an openstack node.  This might be a little fragile.  :/
        # See https://github.com/fedora-infra/fedmsg/issues/199 for the plan.
        ("copr.dhcp-client03", "copr-copr-be.cloud.fedoraproject.org"),
        ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"),
        ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"),

        # Jenkins, also being a cloud node, is weird.  Like copr.
        ("shell.jenkins-master-unknown", "shell-jenkins.fedorainfracloud.org"),
        ("jenkins.jenkins-master-unknown", "jenkins-jenkins.fedorainfracloud.org"),
    ]),
)

